SamSam and Atlanta: Don’t be the Next Victim

Over the last 5 years, we have seen a number of shifts in security technologies and targets. One thing that has been evident is that no one is immune. In the past 12 months we have seen breaches affect HBO and Equifax in the corporate world; more than 200,000 systems affected in over 100 countries in less than 24 hours by the ransomware/wiperware known as WannaCry and NotPetya; nearly three quarters of a million patient medical record sets of compromised ePHI (data breaches) in just the first 2 months of 2018; and now Atlanta.

With the SamSam ransomware attack currently crippling 5 of Atlanta’s 13 local governmental departments, Atlanta has become just the latest in a series of attacks on government municipalities and on the major services those municipalities provide. Why? Like most organizations, they probably did not have an accurate understanding of the current threat landscape and consequently overestimated their cybersecurity posture, making them an easy target.

Most municipalities are primarily concerned with keeping their network up and operational; security is frequently a secondary consideration. Many are under the false impression that an effective firewall will deter most hackers, that they possess little information of value, and/or that any data of value they do have is secured by contractors.

Another misconception we frequently hear is “We have a multi-million-dollar cybersecurity policy that will cover us if anything happens.” Cyber Security Insurance is NOT a Risk Management Program. We have been in interviews with Risk Managers who believe their comprehensive insurance policy covers them, even though they cannot speak to or identify their biggest threat sources, their assets, or the likelihood of an occurrence. This is all too often written off as “the insurance agent’s job.”

The results of our Cybersecurity Risk Assessments are usually both shocking and eye-opening for the CXOs reading them. Most truly believe that their teams are doing all the right things and that their organization’s security posture is much more robust than what we identify. They have been led to believe that it would take the resources of a 3rd world country to breach their technical and administrative countermeasures. One local municipality told us that “Microsoft said our AD security structure is great, we have little or nothing to worry about from a hacker that gets a ‘regular user’s’ credentials as there is no way you can get to one of our DC’s without months of … .” This was being told to us as we were in the process of dumping the SAM database and creating an EA user account.

The old saying “You do not know what you don’t know” is not only true, it can be a fatal condition, as many organizations are finding out, often after a ransomware event or a knock on their door from the FBI. Suppose, hypothetically, that the FBI identified 100,000 utility customer records on the “Dark Web”, including name, address, last 6 of SSN, DOB, and security questions with answers. The questions you would likely be asked in that scenario are “Who, What, When, Where, and especially WHY and HOW had you implemented measures to prevent the breach?”

A comprehensive Cybersecurity Risk Assessment actually tests the effectiveness of deployed technical and administrative countermeasures. Don’t let simply meeting regulatory compliance standards lull you into a false sense of security: meeting specific aspects of a compliance check doesn’t necessarily guarantee protection. For instance, you may have endpoint IPS deployed throughout your network, which would allow you to “check” the regulatory box. The problem is that 43% of systems are configured to alert only, the alerts go to a non-existent distribution group, and all SQL, mail and file servers are included in that 43%: Cybersecurity Risk Assessment, FAIL, NO check. The deployed countermeasure is not effective at preventing vertical or lateral movement within the organization. This one (very real world) example was a failure of several technical and administrative countermeasures, yet the organization met the minimum security requirements (the definition of compliant) of at least 2 governing bodies.
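The IPS example above is the kind of gap a risk assessment looks for and a compliance checklist misses: the control is deployed everywhere, but on a subset of hosts it is in detect-only mode and its alerts are routed to a distribution group that no longer exists. The following audit script is an added example, not code from the original article or from any vendor; it assumes a constructed inventory export (one record per host with the IPS enforcement mode and alert destination) and a constructed list of distribution groups that actually exist in the directory, and it flags hosts where the control is present on paper but ineffective in practice.

```python
"""Audit endpoint IPS records: deployed-on-paper versus effective in practice.

Added example (not from the original article). The inventory, roles, group
names and hostnames below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    role: str         # e.g. "sql", "mail", "file", "workstation"
    ips_mode: str     # "block" (prevents) or "alert" (detect-only)
    alert_group: str  # distribution group that receives IPS alerts


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)


# Constructed sample data (hypothetical hosts and groups).
EXISTING_GROUPS = {"soc-alerts@example.org", "it-ops@example.org"}
CRITICAL_ROLES = {"sql", "mail", "file"}

INVENTORY = [
    Host("ws-001", "workstation", "block", "soc-alerts@example.org"),
    Host("ws-002", "workstation", "block", "soc-alerts@example.org"),
    Host("ws-003", "workstation", "block", "it-ops@example.org"),
    Host("ws-004", "workstation", "block", "soc-alerts@example.org"),
    # The servers were rolled out in alert-only mode and point at a group
    # that was later deleted, so nobody ever sees their alerts.
    Host("sql-01", "sql", "alert", "ips-alerts@example.org"),
    Host("mail-01", "mail", "alert", "ips-alerts@example.org"),
    Host("file-01", "file", "alert", "ips-alerts@example.org"),
]


def audit_host(host, existing_groups):
    """Return a Finding listing why this host's IPS is ineffective, or None."""
    reasons = []
    if host.ips_mode != "block":
        reasons.append("alert-only mode: does not prevent lateral movement")
    if host.alert_group not in existing_groups:
        reasons.append(f"alerts routed to non-existent group {host.alert_group}")
    return Finding(host.name, reasons) if reasons else None


def audit(inventory, existing_groups=EXISTING_GROUPS):
    """Compare the compliance view (IPS present everywhere) with effectiveness."""
    findings = [f for f in (audit_host(h, existing_groups) for h in inventory) if f]
    flagged = {f.host for f in findings}
    critical = sorted(h.name for h in inventory
                      if h.role in CRITICAL_ROLES and h.name in flagged)
    pct = round(100 * len(findings) / len(inventory)) if inventory else 0
    return {
        # The checkbox: every host has an IPS agent with some mode configured.
        "deployed_everywhere": all(h.ips_mode in ("block", "alert") for h in inventory),
        # The assessment: share of hosts where the control does not actually protect.
        "percent_ineffective": pct,
        "critical_unprotected": critical,
        "findings": findings,
        "effective": not findings,
    }


def report(result):
    """Render the audit result as a short text summary."""
    lines = [f"IPS deployed on all hosts: {result['deployed_everywhere']}",
             f"Hosts with ineffective IPS: {result['percent_ineffective']}%",
             f"Critical servers unprotected: {', '.join(result['critical_unprotected']) or 'none'}"]
    for f in result["findings"]:
        lines.append(f"  {f.host}: " + "; ".join(f.reasons))
    lines.append("Verdict: " + ("PASS" if result["effective"] else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(INVENTORY)))
```

On the constructed inventory the compliance view reports the control as deployed on every host, while the audit reports 43% of hosts (all three critical servers) with an ineffective control, which is the FAIL the article describes. In practice the inventory would come from the endpoint management console's export and the group list from the directory, so the check can be re-run whenever either changes.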

Don’t be the Next Victim! As larger organizations shore up their defenses, smaller municipalities and the major services they provide will be targeted more and more frequently. Get an independent Cybersecurity Risk Assessment and know what your real risks are, as well as the steps needed to mitigate those risks. Then and only then will your organization be able to know which risks it should transfer or share with insurance providers.